Philip Zimmermann

Author's preface to the book: "PGP Source Code and
Internals"

Published by The MIT Press, 1995. ISBN 0-262-24039-4.
(no longer in print)

This book contains all of the C source code to a software
package called PGP (Pretty Good Privacy). PGP is the most widely
used software in the the world for the encryption of electronic
mail. It uses public key cryptography to let you communicate
securely with people you've never met, without the prior exchange
of keys over secure channels.

Why publish an entire book (and a big one at that) comprised
mainly of boring source code for a computer program? Well, there
are some really good reasons. It concerns your civil liberties, and
requires a bit of explaining, but it's actually quite an
interesting story.

Cryptography is a surprisingly political technology. In recent
years, it has become more so, with the controversy surrounding the
Government's Clipper chip, the FBI wiretap legislation, export
controls on cryptographic software, and the balance of power
between a government and its people. Historically, cryptography has
been used mainly by governments for diplomatic and military
traffic. But with the coming of the information age, ubiquitous
personal computers, modems, and fax machines, this is changing.
With an emerging global economy depending more and more on digital
communication, ordinary people and companies need cryptography to
protect their everyday communications. Law enforcement and
intelligence agencies want access to all of our communications, to
catch people who break the law, and detect threats to National
Security. Civil libertarians want to keep the Government out of our
private communications, to protect our privacy and maintain a
healthy democracy.

PGP is free software. Anyone may download it on the Internet, or
from many Bulletin Board Systems. It has stirred up some
controversy, because it has become a worldwide de facto standard
for Email encryption, despite US export restrictions. Initially
published in the US, this package has spread by the diffusion that
is common to free software packages, with its "forbidden" flavor
giving it an extra popularity kick. Oddly enough, the US Government
may have inadvertently contributed to PGP's spread, by making it
more popular because of my case. I am under criminal investigation
because of PGP's spread overseas, which the Government holds is in
violation of US export restrictions. My case has captured a lot of
press attention, in part because journalists realize that if an
American can be imprisoned for electronically publishing something
in the USA, then journalists may themselves be at risk in
tomorrow's world of electronic newspapers on the information
highway.

Another reason why the press is so interested in my case is the
Government's attempts to suppress public access to strong
cryptography. The Clinton administration is trying to get the phone
companies to put a special encryption device into every telephone.
They expect it to take many years to accomplish this. When this
"Clipper chip", as it's called, is manufactured by the Government,
they place a unique encryption key in each chip, and keep a copy of
the keys in a vast government database, for wiretap purposes. Your
telephone will someday have Big Brother inside. The Government
hopes that the American public will accept this
government-controlled cryptography, and is trying to discourage
other forms of cryptography that they do not control. One way that
they discourage it is by the use of export restrictions on
cryptographic software. This draws PGP into the press
spotlight.

The US State Department has a list of items that may not be
exported without a license. The Munitions List. Mostly weapons, but
included in that is encryption software. Encryption software may
not be exported without a license, and that license is hard to come
by if the software uses advanced encryption techniques that the
Government can't easily break. Software like PGP.

The State Department allows items on the munitions list to be
exported if they grant a Commodities Jurisdiction (CJ) for it,
allowing it to be handled under the jurisdiction of the Commerce
Department instead of the State Department. A CJ allows the item to
be legally exported from the US. It would be politically difficult
for the Government to prohibit the export of a book that anyone may
find in a public library or a bookstore. The State Department has
already granted a CJ for another book containing cryptographic
source code, Bruce Schneier's "Applied Cryptography". So, we're
putting the PGP source code in a book, which may be scanned in with
OCR (optical character recognition) software. And we are applying
for a CJ. It will be interesting to see where this process
leads.

PGP uses the best encryption algorithms available in the open
academic literature -- the algorithms that have withstood the most
peer review, and are rooted in the best design principles of modern
cryptography. PGP version 2.6.2 uses RSA for key management and
digital signatures, the IDEA cipher for bulk data encryption, and
MD5 for a secure one-way hash for digital signatures. And it
compresses the data before encrypting it, using the ZIP
algorithm.

PGP was developed under difficult conditions, with no funding,
in a race against time in 1991 to get it out before it became
illegal to publish software of this type. Senate Bill 266, the 1991
anti- crime bill, had a measure buried in it that foretold the
shape of things to come. It was a "sense of Congress" resolution,
that said that communications system implementors should provide a
way for the Government to obtain the plaintext contents of traffic.
The resolution was defeated shortly after PGP was initially
published, due to public outcry from civil liberties groups. PGP
was published as freeware, in an effort to preempt the possibility
that the Government could suppress this technology later.

There are other books in the computer science section of your
bookstore that have source code examples of various algorithms.
These books teach good programming style by providing good code
examples. This book is mostly not like that. Although it does have
some instructive examples of how to implement certain algorithms,
one might observe that this body of source code is not the best
example of clean modularity. The code is the way it is. The trying
conditions of PGP's development led to expedient approaches to
implementation, sometimes at a cost of elegance. As
other software engineers all over the world contributed their own
development efforts to PGP after version 1.0 was published in 1991,
they inherited a mishapen crystal nucleus to accrete more code
onto, and modified and remodified the code under pressures of
expedience. Very little of my original code remains in PGP, mostly
comprised of the multiprecision integer library, which I first
wrote in late 1986. It is unfortunate that cleaner examples of code
from my 20-year career as a software engineer could not have served
as a basis for what would eventually become such a widely
distributed body of source code that so many other programmers
would look at.

Despite the inelegance of the code, the quality of the
cryptography and key management is very good. Good enough to make a
mark upon the world in such a way that no other cryptography
software ever has, upsetting some elements of the US Government, as
well as a number of foreign governments.

PGP would not be where it is today without the volunteer efforts
of many talented programmers from all over the world. Peter Gutmann
and Branko Lankester contributed much effort to PGP development.*
Jean-loup Gailly contributed his ZIP compression routines. Many
others contributed code, and they are named in the comments of the
source code. Other people contributed their non- programming
efforts to the PGP project, including my own legal defense team,
including Phil Dubois, Eben Moglen, Ken Bass, and Curt Karnow.
Other lawyers that provided legal advice include Tom Nolan and
Chuck Marson.

I'm writing some of this preface in the air between Bucharest
and Budapest, on a speaking tour about privacy in the information
age. In Bucharest, I saw the terrible legacy of a system designed
by men who craved certainty, not trusting the people with
individual freedom. Those men would have loved the Clipper chip.
The people there now are glad to have their freedom, and they
understand my concern about the power of Government. They already
get it -- and they don't understand why we Americans don't.

A book comprised entirely of thousands of lines of source code
looks pretty dull. But then so does a nondescript fragment of
concrete -- unless it happens to be a piece of the Berlin Wall,
which many people display on their mantels as a symbol of freedom
opening up for millions of people. Perhaps in the long run, this
book will help open up the US borders to the free flow of
information.

Philip R. Zimmermann
Boulder, Colorado
November 1994

* Another volunteer who worked on software development for PGP 2.0 was Hal Finney, but I did not mention him in this preface in 1994 because it was not safe to do so, since Hal lived in the US within easy reach of US prosecutors.